Security Implications of MCP Configurations in OpenAI Plugins: OAuth, Static Tools, and Transport Hardening

MCP configurations in OpenAI plugins rely on OAuth-driven token exchange, static tool generation, and short-lived scoped credentials to prevent secret leakage, reduce attack surfaces, and ensure agents cannot invoke insecure paths.

The openai/plugins repository demonstrates how Model Context Protocol (MCP) configurations determine security boundaries for AI agents interacting with remote services. Because MCP routes agents to external endpoints, its configuration governs authentication flows, credential scoping, and transport layer security. Understanding these mechanisms is essential for securing plugin architectures against unauthorized access and data exposure.

OAuth Authentication and Secret Management

MCP clients in the OpenAI plugins ecosystem use the @ai-sdk/mcp library to automatically negotiate OAuth tokens for remote MCP servers. This design eliminates the need for developers to embed API keys directly in skill definitions, significantly reducing the risk of credential exposure in version-controlled files.

According to plugins/vercel/skills/ai-sdk/SKILL.md, the client instantiation handles token acquisition transparently. For Wix-based implementations, the @wix/cli mints site-scoped tokens that are short-lived and project-specific, so a compromised token cannot reach resources beyond its intended scope. As documented in plugins/wix/skills/wix-headless/references/shared/AUTHENTICATION.md, raw secrets must never be transmitted through MCP-enabled skills; the system relies entirely on these ephemeral OAuth tokens instead.

Static Tool Generation and Attack Surface Reduction

To prevent exposure of dynamic internal endpoints, the mcp-to-ai-sdk CLI extracts static tool definitions from live MCP servers. This process generates version-controlled JSON files that limit the attack surface by preventing agents from discovering or invoking arbitrary endpoints that may exist on the MCP server.

The plugins/vercel/vercel.md file emphasizes that static tool generation is a security requirement rather than merely a convenience. By freezing the tool schema in the repository, developers ensure that agents can only invoke pre-approved methods, blocking potential exploitation of dynamically registered or undocumented endpoints.

Defensive Fallback Strategies and State Consistency

When an MCP server lacks a specific capability, skills must implement fallback logic that uses direct REST API calls or CLI commands. This prevents agents from over-relying on MCP and inadvertently invoking insecure or incomplete paths. The plugins/wix/skills/wix-headless/SKILL.md explicitly warns against mixing MCP-based tools (such as WixSiteBuilder) with parallel native flows, because doing so can trigger duplicate resource builds and race conditions that open denial-of-service windows or create data inconsistency.

Fallback implementations should verify MCP availability before executing alternative paths. This dual-path design ensures operational continuity without bypassing security controls when the MCP server is unreachable or lacks the requested method.

Infrastructure Security and Transport Hardening

Vercel’s firewall integration exposes security controls as an MCP tool named vercel.security.readFirewallConfig. Because this tool executes server-side within the vercel-firewall skill, it can enforce OWASP-grade rule sets without revealing underlying infrastructure details to the agent. The tool definition resides in plugins/vercel/skills/vercel-firewall/SKILL.md.

Transport layer security is further hardened through the use of Streamable HTTP, a modern transport mechanism that replaces Server-Sent Events (SSE). As implemented in plugins/vercel/skills/vercel-api/SKILL.md, this protocol eliminates long-lived streaming connections, thereby reducing the risk of resource exhaustion attacks and connection hijacking.

MCP Discovery and Data Minimization

Skills should consult static API reference files before invoking MCP servers, using MCP only to fill capability gaps. This "MCP-only-for-gaps" policy, documented in plugins/wix/skills/wix-app/SKILL.md, limits unnecessary network calls and restricts the volume of data an agent can extract from remote services. By applying maxResults limits and preferring static documentation over dynamic discovery, the configuration minimizes exposure to excessive data retrieval.

Implementation Examples

Creating a Secure MCP Client

The following pattern demonstrates OAuth token acquisition without embedded secrets:

import { createMCPClient } from "@ai-sdk/mcp";

const mcpClient = await createMCPClient({
  // The URL of the remote MCP server (e.g. Vercel)
  endpoint: "https://my-project.vercel.app/api/mcp",
  // OAuth scopes are declared in the MCP server; the client auto-fetches a token.
  // No API keys are stored in the source code.
});

This implementation follows the security model described in plugins/vercel/skills/ai-sdk/SKILL.md.

Generating Static Tool Definitions

Audit the MCP surface by extracting static definitions before deployment:
# Install the helper CLI (once):

npm i -g mcp-to-ai-sdk

# Pull the live MCP schema and write a JSON definition:

mcp-to-ai-sdk \
  --endpoint https://my-project.vercel.app/api/mcp \
  --output ./static-tools/vercel-mcp-tools.json

Static generation requirements are detailed in plugins/vercel/vercel.md.

Implementing REST Fallbacks

When MCP lacks a method, fall back to direct API calls with environment-scoped credentials:

import fetch from "node-fetch"; // Node 18+ also provides a global fetch

// mcpClient is assumed to be the client created in the previous example.

async function listProjects() {
  // Try MCP first. An unreachable server or a missing method must not abort
  // the operation, so any failure here is treated as "MCP lacks this capability".
  try {
    const mcpResult = await mcpClient.call("listProjects");
    if (mcpResult?.success) return mcpResult.data;
  } catch (err) {
    console.warn("MCP unavailable, falling back to REST:", err.message);
  }

  // Fallback – Vercel REST API (requires a VERCEL_TOKEN env var)
  if (!process.env.VERCEL_TOKEN) throw new Error("VERCEL_TOKEN is not set");
  const resp = await fetch("https://api.vercel.com/v9/projects", {
    headers: { Authorization: `Bearer ${process.env.VERCEL_TOKEN}` },
  });
  if (!resp.ok) throw new Error(`Vercel API returned HTTP ${resp.status}`);
  const { projects } = await resp.json();
  return projects;
}

The dual-path design is outlined in plugins/wix/skills/wix-headless/SKILL.md.
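The allow-list rule from the static tool generation section and the single-path fallback rule from the fallback section, combined into one router, as an added JavaScript example that is not code from openai/plugins or its skills. STATIC_TOOLS, REST_FALLBACKS, MAX_RESULTS_CAP and routeToolCall are assumed names, and the static-definition shape is constructed for illustration rather than the real mcp-to-ai-sdk output format.

```javascript
// Constructed sample of a version-controlled static tool definition
// (assumed shape, not the real mcp-to-ai-sdk output format).
const STATIC_TOOLS = {
  "vercel.projects.list": { params: ["teamId", "maxResults"] },
  "vercel.security.readFirewallConfig": { params: ["projectId", "teamId"] },
};

// Constructed REST fallbacks for capabilities the MCP server may lack or
// for use when the MCP server is unreachable. Real calls would go here.
const REST_FALLBACKS = {
  "vercel.projects.list": (args) => ({ source: "rest", args }),
  "vercel.deployments.list": (args) => ({ source: "rest", args }),
};

const MAX_RESULTS_CAP = 50; // data-minimization ceiling (assumed value)

// mcp is { available: boolean, call(name, args) } supplied by the caller.
function routeToolCall(name, args, mcp) {
  // 1. Only methods frozen in the static definition or explicitly listed as
  //    REST fallbacks may run; anything else is refused, never discovered.
  const staticDef = STATIC_TOOLS[name];
  const restFallback = REST_FALLBACKS[name];
  if (!staticDef && !restFallback) return { ok: false, reason: "unknown-tool" };

  // 2. Reject parameters the frozen schema does not declare.
  if (staticDef) {
    const unexpected = Object.keys(args).filter((k) => !staticDef.params.includes(k));
    if (unexpected.length) return { ok: false, reason: "unexpected-params", unexpected };
  }

  // 3. Clamp maxResults before any remote call is made.
  const safeArgs = { ...args };
  if ("maxResults" in safeArgs) {
    const n = Number(safeArgs.maxResults);
    safeArgs.maxResults =
      Number.isFinite(n) && n > 0 ? Math.min(n, MAX_RESULTS_CAP) : MAX_RESULTS_CAP;
  }

  // 4. Exactly one path executes: MCP when it is reachable and the method is
  //    frozen in STATIC_TOOLS, otherwise the REST fallback. Never both.
  if (staticDef && mcp.available) {
    return { ok: true, path: "mcp", result: mcp.call(name, safeArgs) };
  }
  if (restFallback) {
    return { ok: true, path: "rest", result: restFallback(safeArgs) };
  }
  return { ok: false, reason: "mcp-unavailable-no-fallback" };
}
```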

Querying Firewall Configuration via MCP

Access security configurations through the read-only MCP tool:

// Assume mcpClient is already created.
const firewallConfig = await mcpClient.call("vercel.security.readFirewallConfig", {
  projectId: "prj_ABC123",
  teamId: "team_XYZ789",
});
console.log("Current firewall rules:", firewallConfig.rules);

The firewall MCP definition is stored in plugins/vercel/skills/vercel-firewall/SKILL.md.

Summary

  • OAuth token exchange via @ai-sdk/mcp eliminates embedded API keys and enables short-lived, scoped credentials.
  • Static tool generation using mcp-to-ai-sdk reduces attack surfaces by preventing dynamic endpoint discovery.
  • Fallback mechanisms to REST/CLI prevent over-reliance on MCP while avoiding insecure execution paths.
  • State conflict prevention requires avoiding simultaneous use of MCP tools and native flows to prevent duplicate builds.
  • Streamable HTTP transport replaces SSE to mitigate resource exhaustion risks.
  • Data minimization policies limit MCP invocations to capability gaps only, reducing data exposure.

Frequently Asked Questions

How do MCP configurations prevent API key leakage in OpenAI plugins?

MCP configurations leverage OAuth token exchange through libraries like @ai-sdk/mcp rather than embedding static API keys in skill definitions. The tokens are short-lived, project-scoped, and minted by authorized CLIs such as @wix/cli or Vercel's OAuth flow, ensuring that raw credentials never appear in source code or environment files accessible to agents.

Why should tool definitions be static rather than dynamic?

Static tool definitions, generated via the mcp-to-ai-sdk CLI and version-controlled as JSON files, prevent agents from discovering and invoking arbitrary internal endpoints that might exist on the MCP server. This approach limits the attack surface to explicitly approved methods and prevents exploitation of undocumented or dynamically registered capabilities.

What transport protocol does Vercel use to secure MCP connections?

Vercel employs Streamable HTTP as the transport protocol for MCP servers, replacing the older Server-Sent Events (SSE) mechanism. This eliminates long-lived streaming connections, thereby reducing the risk of connection hijacking and resource exhaustion attacks while maintaining full-duplex communication capabilities.

How do fallback mechanisms protect against MCP server failures?

Fallback mechanisms detect when an MCP server lacks a requested capability and automatically route the operation to secure REST APIs or CLI commands. This prevents agents from attempting to force execution through potentially insecure paths when MCP is unavailable, while maintaining operational continuity through alternative authentication methods like environment-scoped VERCEL_TOKEN.
